Proper fix for #1146 (/ has been escaped with \/ in output)

2025-12-06 20:51:31 +00:00 · 2015-11-09 14:05:53 +01:00
parent 22484c8599
commit 17350fb4ec
2 changed files with 14 additions and 7 deletions
--- a/lib/core/target.py
+++ b/lib/core/target.py
@@ -318,13 +318,11 @@ def _setRequestParams():

    # Perform checks on header values
    if conf.httpHeaders:
-        for httpHeader, headerValue in conf.httpHeaders:
+        for httpHeader, headerValue in list(conf.httpHeaders):
            # Url encoding of the header values should be avoided
            # Reference: http://stackoverflow.com/questions/5085904/is-ok-to-urlencode-the-value-in-headerlocation-value

-            httpHeader = httpHeader.title()
-
-            if httpHeader == HTTP_HEADER.USER_AGENT:
+            if httpHeader.title() == HTTP_HEADER.USER_AGENT:
                conf.parameters[PLACE.USER_AGENT] = urldecode(headerValue)

                condition = any((not conf.testParameter, intersect(conf.testParameter, USER_AGENT_ALIASES, True)))
@@ -333,7 +331,7 @@ def _setRequestParams():
                    conf.paramDict[PLACE.USER_AGENT] = {PLACE.USER_AGENT: headerValue}
                    testableParameters = True

-            elif httpHeader == HTTP_HEADER.REFERER:
+            elif httpHeader.title() == HTTP_HEADER.REFERER:
                conf.parameters[PLACE.REFERER] = urldecode(headerValue)

                condition = any((not conf.testParameter, intersect(conf.testParameter, REFERER_ALIASES, True)))
@@ -342,7 +340,7 @@ def _setRequestParams():
                    conf.paramDict[PLACE.REFERER] = {PLACE.REFERER: headerValue}
                    testableParameters = True

-            elif httpHeader == HTTP_HEADER.HOST:
+            elif httpHeader.title() == HTTP_HEADER.HOST:
                conf.parameters[PLACE.HOST] = urldecode(headerValue)

                condition = any((not conf.testParameter, intersect(conf.testParameter, HOST_ALIASES, True)))
@@ -351,6 +349,15 @@ def _setRequestParams():
                    conf.paramDict[PLACE.HOST] = {PLACE.HOST: headerValue}
                    testableParameters = True

+            else:
+                condition = intersect(conf.testParameter, [httpHeader], True)
+
+                if condition:
+                    conf.parameters[PLACE.CUSTOM_HEADER] = str(conf.httpHeaders)
+                    conf.paramDict[PLACE.CUSTOM_HEADER] = {httpHeader: "%s,%s%s" % (httpHeader, headerValue, CUSTOM_INJECTION_MARK_CHAR)}
+                    conf.httpHeaders = [(header, value.replace(CUSTOM_INJECTION_MARK_CHAR, "")) for header, value in conf.httpHeaders]
+                    testableParameters = True
+
    if not conf.parameters:
        errMsg = "you did not provide any GET, POST and Cookie "
        errMsg += "parameter, neither an User-Agent, Referer or Host header value"